Re: [squid-users] Mutual TLS for the upstream example

Can we try to understand the issue again? In this setup, should squid know about the client certificate and pass it to the service backend Or maybe just terminate the clients certificate? I am not sure I understood what you need/want to do with squid. Eliezer Eliezer Croit

Re: [squid-users] Mutual TLS for the upstream example

Thank you, Eliezer! I will look into it but it appears that the underlying problem is not solvable by design of the mTLS handshake... There are corner cases that can be solved but not the original issue. On Thu, Jan 14, 2021 at 2:39 PM Eliezer Croitoru wrote: > I don’t know about Squid but I as

Re: [squid-users] Mutual TLS for the upstream example

Thank you for the very detailed explanation, Alex! Having looked at the sequence diagram of the mTLS handshake, I now see why I cannot get what I want. I can either get plain-text HTTP to mTLS-secured forwarding, or I have to have two independent legs of communication when the authenticity of cli

Re: [squid-users] Mutual TLS for the upstream example

On 1/14/21 2:41 PM, Sergey Maslyakov wrote: > Is the CONNECT tunnel designed in a way that enables it to "enrich" the > outgoing connection with mTLS authentication? If, by "designed", you are asking about HTTP protocol design, then the CONNECT tunnel is a blind TCP tunnel by that design. Hence,

Re: [squid-users] Mutual TLS for the upstream example

I don’t know about Squid but I assume varnish has this feature: https://docs.varnish-software.com/varnish-cache-plus/features/backend-ssl/ If you just need a GW without caching it should work as expected. Eliezer Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email:

[squid-users] Mutual TLS for the upstream example

Folks, Is the CONNECT tunnel designed in a way that enables it to "enrich" the outgoing connection with mTLS authentication? "tls_outgoing_options" does not seem to work the way I was hoping it does. My destination server requires mTLS authentication of the client. I have a valid key-cert pair an

Re: [squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

Hello Amos, On Thu, Jan 14, Amos Jeffries wrote: > On 13/01/21 11:27 pm, Dieter Bloms wrote: > > Hello, > > > > the wiki of squid cache project (wiki.squid-cache.org) has an incomplete > > certificate chain. > > I can't access the website with enabled sslbump and tlsv1.3 support, > > because squ

Re: [squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

On 1/14/21 1:22 AM, Greg Hulands wrote: > Can you point me to the rough location in code where the certs are sent to > the client. I would start with the following log line: > 2021/01/13 18:09:11.655 kid1| 33,5| client_side.cc(2700) sslCrtdHandleReply: > Certificate for arstechnica.com was suc

Re: [squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

Hey Greg, I am trying to test it with 5.0.4 and it seems that this site works for me with SSL BUMP. The CN and the SAN are the same so it makes sense that it should work the same on your proxy. However I do see that this domain has 2 IP addresses which might affect what you see. I am trying to

Re: [squid-users] generate-host-certificates=on fails to generate certificates for _some_ hosts

Hey Alex, Can you point me to the rough location in code where the certs are sent to the client. I tried with TLS 1.2 with openssl s_client and it returned the certs the same. Thanks, Greg > On Jan 13, 2021, at 8:44 PM, Alex Rousskov > wrote: > > On 1/13/21 9:47 PM, Greg Hulands wrote: >> I

Re: [squid-users] Incomplete Certificate Chain for wiki.squid-cache.org

On 13/01/21 11:27 pm, Dieter Bloms wrote: the wiki of squid cache project (wiki.squid-cache.org) has an incomplete certificate chain. I can't access the website with enabled sslbump and tlsv1.3 support, because squid isn't able to download the missing intermediate certificate on its own. On 14.

Re: [squid-users] WARNING: no_suid: setuid(0): (1) Operation not permitted

Yes it seems the same bug but the ticket is not relevant (FreeBSD) as i'm on Debian and on a modern kernel The main incomprehensible behavior that is issue occurs sometimes as setuid is a sticky bit permission.. squid -v output: Squid Cache: Version 4.13 Service Name: squid This binary uses